Changelog History
-
v2.7.0 Changes
December 22, 2020
Avoid method redefinition warnings in verbose warning mode (jeremyevans)
Return expired access token error message in the JWT refresh feature when using an expired token when it isn't allowed (AlexyMatskevich) (#133)
Allow Rodauth features to be preloaded, instead of always trying to require them (janko) (#136)
Use a default remember cookie path of '/', though this may cause problems with multiple Rodauth configurations on the same domain (janko) (#134)
Add auto_remove_recovery_codes? to the recovery_codes feature, for automatically removing the codes when disabling multifactor authentication (SilasSpet, jeremyevans) (#135)
-
v2.6.0 Changes
November 20, 2020
Avoid loading features multiple times (janko) (#131)
Add around_rodauth method for running code around the handling of all Rodauth routes (bjeanes) (#129)
Fix javascript for registration of multiple webauthn keys (bjeanes) (#127)
Add allow_refresh_with_expired_jwt_access_token? configuration method to jwt_refresh feature, for allowing refresh with expired access token (jeremyevans)
Promote setup_account_verification to public API, useful for automatically sending account verification emails (jeremyevans)
-
v2.5.0 Changes
October 22, 2020
Add change_login_needs_verification_notice_flash for easier translation of change_login_notice_flash when using verify_login_change (bjeanes, janko, jeremyevans) (#126)
Add login_return_to_requested_location_path for controlling path to use as the requested location (HoneyryderChuck, jeremyevans) (#122, #123)
-
v2.4.0 Changes
September 21, 2020
Add session_key_prefix for more easily using separate session keys when using multiple configurations (janko) (#121)
Add password_pepper feature for appending a secret key to passwords before they are hashed, supporting secret rotation (janko) (#119)
-
v2.3.0 Changes
August 21, 2020
Return an error status instead of an invalid access token when trying to refresh JWT without an access token in the jwt_refresh feature (jeremyevans)
Allow {create,drop}_database_authentication_functions to work with UUID keys (monorkin, janko) (#117)
Add rodauth.login('login_type') for logging in after setting a valid account (janko) (#114)
Make new refresh token available to the after_refresh_token hook by setting it in the response first (jeremyevans)
Make the jwt_refresh plugin call before_jwt_refresh_route hook (previously the configuration method was ignored) (AlexeyMatskevich) (#110)
Add login_email_regexp, login_not_valid_email_message, and log_valid_email? configuration methods (janko) (#107)
-
v2.2.0 Changes
July 20, 2020
Allow removing all jwt_refresh tokens when logging out by providing a value of "all" as the token to remove (jeremyevans)
Allow removing specific jwt_refresh token when logging out by providing the token to remove (jeremyevans)
Avoid NoMethodError when checking if session is authenticated when using two factor auth, verify_account_grace_period, and email_auth (jeremyevans) (#105)
Reduce queries in #authenticated? and #require_authentication when using two factor authentication (janko) (#106)
Treat verify_account_email_resend returning false as an error in the verify_account feature (jeremyevans)
Fix use of password_dictionary configuration method in password_complexity feature (jeremyevans)
Remove unnecessary conditionals (jeremyevans)
Add otp_last_use to the otp feature, returning the time of last successful OTP use (jeremyevans) (#103)
-
v2.1.0 Changes
June 09, 2020
Do not check CSRF tokens by default for requests using JWT (janko, jeremyevans) (#99)
Use new-password autocomplete value for password field when creating accounts (jeremyevans) (#98)
Consistently use json_response_body for all JSON responses in jwt feature (arthurmmoreira) (#97)
Add check_csrf configuration method to customize CSRF checking (janko) (#96)
Have logged_in? when using http_basic_auth feature check for basic authentication (jeremyevans) (#94)
Don't consider account open if in unverified grace period without password (janko) (#92)
-
v2.0.0 Changes
May 06, 2020
Do not show email auth as an option for unverified accounts if using the verify_account_grace_period feature (jeremyevans) (#88)
Generate unlock account key outside of send_unlock_account_email, similar to other email methods (janko) (#89)
Default otp_drift to 30 in the otp feature (jeremyevans)
Add rodauth.require_http_basic_auth to http_basic_auth feature, similar to require_login (janko) (#86)
Rename require_http_basic_auth to require_http_basic_auth? in http_basic_auth feature (janko) (#86)
Change http_basic_auth feature to use rodauth.http_basic_auth for handling basic authentication, similar to rodauth.load_memory (janko) (#86)
Do not call already_logged_in if logged in when accessing verify_login_change page (janko) (#87)
HTML id attributes now use - instead of _ in recovery_codes and remember features (jeremyevans)
Allow *_path and *_url methods to accept a hash of query parameters (janko) (#84)
Use a danger button when closing accounts (janko) (#83)
Handle invalid form inputs in a more bootstrap compatible manner (janko) (#83)
Use standard vertical Bootstrap forms instead of horizontal forms in templates (janko) (#83)
Make templates compatible with Bootstrap 4, and still display correctly with Bootstrap 3 (janko) (#83)
Add check_csrf_opts and check_csrf_block for arguments to the check_csrf! call before Rodauth route dispatching (jeremyevans)
Add audit_logging feature, logging changes to a database table (jeremyevans)
Add hook_action configuration method, called after all before/after hooks (jeremyevans)
Enable email rate limiting by default in lockout, reset_password, and verify_account features (jeremyevans)
Add session_expiration_error_status method to the session_expiration feature, used for JSON requests where session has expired (jeremyevans)
Add domain configuration method to set an explicit domain, instead of relying on the host of the request (jeremyevans)
Add inactive_session_error_status to single_session feature, used for JSON requests where session is no longer active (jeremyevans)
Prevent use of previous JWT access tokens after refresh when using jwt_refresh and active_sessions features (jeremyevans)
Change default setting of jwt_check_accept? from false to true in the jwt feature (jeremyevans)
Automatically check CSRF tokens before calling any Rodauth route by default, allow disabling using check_csrf? false (jeremyevans)
Add translate(key, default_value) configuration method and have it affect all translatable content (jeremyevans)
Add *_page_title configuration methods for all *_view configuration methods (jeremyevans)
Default to using Roda's route_csrf plugin for CSRF support, with :csrf=>:rack_csrf available for using rack_csrf (jeremyevans)
Allow ability for user to fix an incorrect login when requesting a password reset (janko, jeremyevans) (#76)
Add two_factor_auth_return_to_requested_location? to support returning to original page after successful second factor authentication (janko) (#69)
Add login_return_to_requested_location? to support returning to original page after successful login (janko) (#69)
Add rodauth.require_password_authentication method to confirm_password feature (janko, jeremyevans) (#75)
Make remember feature no longer depend on confirm_password (janko) (#79)
Replace {create_account,reset_password_request,verify_account_resend}_link configuration methods with *_link_text (janko) (#77)
Remove remembered_session_key configuration method, no longer needed (janko) (#80)
Add rodauth.possible_authentication_methods for the available authentication methods for the account (jeremyevans)
Add active_sessions feature for disabling session reuse after logout, and allowing global logout of all sessions (jeremyevans)
Add webauthn_verify_account feature for passwordless WebAuthn setup during account verification (jeremyevans)
Allow confirm_password feature to operate as second factor authentication if using webauthn login (jeremyevans)
Add webauthn_login feature for passwordless login via WebAuthn (jeremyevans)
Do not allow two factor authentication using same type as primary authentication (jeremyevans)
Do not require passwords by default if the account does not have a password (jeremyevans)
Remove clear_remembered_session_key and two_factor_session_key configuration methods, no longer needed (jeremyevans)
Store authentication methods used in the session, available via rodauth.authenticated_by (jeremyevans)
Do not require login confirmation by default if verifying accounts or login changes (jeremyevans)
Add mark_input_fields_with_inputmode? and inputmode_for_field? configuration methods for controlling inputmode (jeremyevans)
Support and enable inputmode=numeric attributes by default for otp auth code and sms code fields (jeremyevans)
Add sms_phone_input_type and default to tel instead of using text for SMS phone input (jeremyevans)
Add mark_input_fields_with_autocomplete? and autocomplete_for_field? configuration methods for controlling autocomplete (jeremyevans)
Support and enable autocomplete attributes by default for fields (jeremyevans)
Add login_uses_email? configuration method for whether to treat logins as email addresses (jeremyevans)
Remove the verify change login feature, users should switch to the verify login change feature (jeremyevans)
Change default setting of json_response_success_key to success in the jwt feature (jeremyevans)
Remove deprecated account_model configuration method (jeremyevans)
Remove all deprecated configuration and runtime method aliases in the lockout, verify_account, email_auth, reset_password, and verify_login_change features (jeremyevans)
Remove deprecated before_otp_authentication_route configuration method (jeremyevans)
Change default setting of login_input_type to email if login_column is :email (jeremyevans)
Change default setting of mark_input_fields_as_required? to true (jeremyevans)
Change default setting of verify_account_set_password? in verify_account feature to true (jeremyevans)
Change default setting of json_response_custom_error_status? in jwt feature to true (jeremyevans)
Add auto_add_recovery_codes? configuration method to recovery codes feature, and default to false (jeremyevans)
Add base_url configuration method to set an explicit base for URLs, instead of relying on the base_url of the request (jeremyevans)
Add webauthn feature to handle WebAuthn authentication (jeremyevans)
Fix corner cases when disabling a second factor when multiple second factors have been set up (jeremyevans)
Don't override second factor used to authenticate when setting up additional second factor authentication (jeremyevans)
Add two factor auth, manage, and disable pages (jeremyevans)
Drop support for Ruby 1.8 (jeremyevans)
-
v1.23.0 Changes
March 06, 2020
Remove specs from the gem to reduce gem size by over 20% (jeremyevans)
Make rodauth.authenticated? return true on OTP setup page (jeremyevans) (#68)
Display link to email auth request form when user has entered login and incorrect password if using email_auth feature (janko) (#65)
Add *_path and *_url methods for all *_route methods (janko) (#64)
Add send_email configuration method for configuring how email is sent (janko) (#63)
-
v1.22.0 Changes
October 29, 2019
Add jwt_cors feature to handle Cross-Origin Resource Sharing when using the jwt feature (jeremyevans)
Add space before newline after links in email, fixing issues with some webmail providers with broken autolinkers (jeremyevans)